Prepare for v3.64.0

.github/workflows/check-packs.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/docker.yml

@@ -11,7 +11,7 @@ jobs:
     name: Build Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/lint.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/upload.yml

@@ -1,7 +1,7 @@
 on:
   push:
     branches:
-      - main
+      - release
 
 permissions:
   contents: read
@@ -14,9 +14,10 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
+
       - name: Validate Secrets
         if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
         run: |
@@ -37,10 +38,6 @@ jobs:
       - name: Setup venv
         run: make venv
 
-      - name: validate
-        run: |
-          pipenv run panther_analysis_tool validate --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}
-
       - name: upload
         run: |
           pipenv run panther_analysis_tool upload --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}

.github/workflows/validate.yml

@@ -0,0 +1,42 @@
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    if: github.event.review.state == 'approved'
+    name: Validate
+    runs-on: ubuntu-latest
+    env:
+      API_HOST: ${{ secrets.API_HOST }}
+      API_TOKEN: ${{ secrets.API_TOKEN }}
+    steps:
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+      - name: Validate Secrets
+        if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
+        run: |
+          echo "API_HOST or API_TOKEN not set"
+          exit 0
+
+      - name: Checkout panther-analysis
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
+
+      - name: Set python version
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        with:
+          python-version: "3.11"
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Setup venv
+        run: make venv
+
+      - name: validate
+        run: |
+          pipenv run panther_analysis_tool validate --api-host ${{ env.API_HOST }} --api-token ${{ env.API_TOKEN }}

CONTRIBUTING.md

@@ -1,12 +1,45 @@
-# Contributing
+# Contributing to `panther-analysis`
 
-Please follow the [Code of Conduct](https://github.com/panther-labs/panther-analysis/blob/main/CODE_OF_CONDUCT.md)
-in all of your interactions with the project.
+Thank you for your interest in contributing to Panther's open-source ruleset!  We appreciate all types of contributions, including new detection rules, feature requests, and bug reports.
+
+## What makes a good detection?
+
+Please familiarize yourself with these helpful resources on writing high-quality Panther rules:
+
+- The blog post Panther's founder, Jack Naglieri, wrote on [The Anatomy of a High Quality SIEM Rule](https://jacknaglieri.substack.com/p/hq-siem-rules)
+- Panther's [Detection Documentation](https://docs.panther.com/detections)
+- The `panther-analysis` [Style Guide](https://github.com/panther-labs/panther-analysis/blob/main/STYLE_GUIDE.md)
+
+Especially excellent contributions will be considered for a quarterly prize! We will announce a winner in the **Panther-Analysis Seasonal Newsletter**, where we share updates and celebrate contributions to Panther’s open-source ruleset.
+
+## Testing your changes
+
+Before submitting your pull request, make sure to:
 
-## Pull Request Process
+- Write or update relevant unit tests
+- Redact any sensitive information or PII from example logs
+- Format, lint, and test your changes to ensure CI tests pass, using the following commands:
+    ```bash
+    make fmt
+    make lint
+    make test
+    ```
 
-1. Create new detections in the appropriate folder (or create your own) or make modifications to existing ones
+## Pull Request process
+
+1. Make desired detection changes. This may include creating new detections in existing log type directories, creating new log type directories, updating existing detections, etc
 2. Commit both the Python and Metadata files
 3. Write a clear commit message
-4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls)
-5. Incorporate feedback and merge once you have the sign-off of other code owners. If you do not have permission, you may request a reviewer to merge it for you.
+4. Open a [Pull Request](https://github.com/panther-labs/panther-analysis/pulls).
+5. Once your PR has been approved by code owners, if you have merge permissions, merge it. If you do not have merge permissions, leave a comment requesting a code owner merge it for you
+
+## Code of Conduct
+
+Please follow the [Code of Conduct](https://github.com/panther-labs/panther-analysis/blob/main/CODE_OF_CONDUCT.md)
+in all of your interactions with this project.
+
+## Need help?
+
+If you need assistance at any point, feel free to open a support ticket, or reach out to us on [Panther Community Slack](https://pnthr.io/community).
+
+Thank you again for your contributions, and we look forward to working together!

Pipfile

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.52.1"
+panther-analysis-tool = "~=0.52.2"
 panther-detection-helpers = "==0.4.0"
 
 [requires]